From 19dd4963174198c3777563833300822f70ad0e72 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 3 Jul 2023 14:00:03 +0100 Subject: [PATCH 01/14] feat: enable mariner vulnerability provider by default Signed-off-by: Weston Steimel --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 941c4d13..bcddecca 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -172,6 +172,8 @@ data: {{- end }} sles: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} + mariner: + enabled: {{ default true (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled) }} msrc: enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote }} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} From 084289a2ad8bfa6260920271963690c476fa5370 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 3 Jul 2023 15:31:18 +0100 Subject: [PATCH 02/14] chore: bump dev chart version Signed-off-by: Weston Steimel --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 54cdeb94..ebaa78f8 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.6 +version: 1.27.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From c53fe9cb59dc5b2ddb4a640ef88fd950d46e4b14 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 12 Jul 2023 13:28:32 -0400 Subject: [PATCH 03/14] change mariner true value to string 
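Review bot: An operator who sets `anchoreEnterpriseFeeds.marinerDriverEnabled: false` still gets `enabled: true` from the added `mariner` line, because Sprig's `default` treats a boolean `false` as empty and substitutes the fallback. The `sles` line just above avoids this by piping the value through `quote` before `default`, so only an unset value falls back; use the same form here, `enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled | quote) }}`. The follow-up hunk in PATCH 03/14 changes the fallback to the string "true" but keeps the value unquoted, so the same applies there. Since this commit turns a feed driver on by default, the opt-out needs to work, and no values.yaml entry or comment naming `marinerDriverEnabled` is visible in this series. The enclosing mapping starts and ends outside the hunk.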
Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index bcddecca..abe5e3ab 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -173,7 +173,7 @@ data: sles: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} mariner: - enabled: {{ default true (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled) }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled) }} msrc: enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote }} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} From ce3673925c264517ec9aaa3cd915cdb53d0065e1 Mon Sep 17 00:00:00 2001 From: Christopher Phillips Date: Thu, 13 Jul 2023 12:17:04 -0400 Subject: [PATCH 04/14] chore: add required versions to readme Signed-off-by: Christopher Phillips --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 532cc939..d3774568 100644 --- a/README.md +++ b/README.md 
@@ -4,8 +4,8 @@ This repository contains Helm charts for deploying [Anchore](https://www.anchore ## Prerequisites -- [Helm](https://helm.sh/) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. -- [Kubernetes](https://kubernetes.io/) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. +- [Helm](https://helm.sh/) (>=3.8) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. +- [Kubernetes](https://kubernetes.io/) (>=1.25) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. ## Installation From 7ebd07e285da10f563015878c2f33cfb5b4673cd Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 09:58:06 -0400 Subject: [PATCH 05/14] updating ecs image Signed-off-by: Hung Nguyen --- stable/ecs-inventory/values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml index f19cd0f9..09ef6f7f 100644 --- a/stable/ecs-inventory/values.yaml +++ b/stable/ecs-inventory/values.yaml @@ -7,9 +7,10 @@ ## replicaCount: 1 -## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI +## @param image Image used for all Ecs Inventory deployment deployments +## use docker.io/anchore/ecs-inventory:v1.1.0-fips if you want an image built for fips use ## -image: "docker.io/anchore/ecs-inventory:v1.0.0" +image: "docker.io/anchore/ecs-inventory:v1.1.0" ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From f8cb505a978b6dc232a629d791ff47dd7d80f909 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 09:59:43 -0400 Subject: [PATCH 06/14] updating k8s-inventory tag 
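Review bot: The default ecs-inventory image moves to `v1.1.0` in this values.yaml hunk, but the ecs-inventory Chart.yaml hunk in PATCH 07/14 still shows `appVersion: "1.0.0"` as unchanged context, so the chart metadata would report a different version from the one deployed. If appVersion is meant to track the default image, bump it in the same change, `appVersion: "1.1.0"`; the k8s-inventory chart shows the same gap across PATCH 06/14, 07/14 and 09/14. The added comment also hard-codes a versioned FIPS tag, which goes stale on the next bump (PATCH 09/14 moves the k8s-inventory tag to v1.1.1 without touching its FIPS comment), and the `@param` line reads "deployment deployments"; `## @param image Image used for the ECS Inventory deployment` would fix the wording.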
Signed-off-by: Hung Nguyen --- stable/k8s-inventory/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 6cae8857..c449527d 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -10,11 +10,12 @@ replicaCount: 1 ## @param image.pullPolicy Image pull policy used by the K8s Inventory deployment ## @param image.repository Image used for the K8s Inventory deployment ## @param image.tag Image tag used for the K8s Inventory deployment +## use tag v1.0.2-fips if you want an image built for fips use ## image: pullPolicy: "IfNotPresent" repository: "anchore/k8s-inventory" - tag: "v1.0.0" + tag: "v1.0.2" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images ## From 55380ccc4866ceb27dda3e9f68dfe8d43f5b85c8 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 10:00:47 -0400 Subject: [PATCH 07/14] bumping chart version Signed-off-by: Hung Nguyen --- stable/ecs-inventory/Chart.yaml | 2 +- stable/k8s-inventory/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml index a4d302c4..87596fe2 100644 --- a/stable/ecs-inventory/Chart.yaml +++ b/stable/ecs-inventory/Chart.yaml @@ -20,7 +20,7 @@ maintainers: email: hung.nguyen@anchore.com type: application -version: 0.0.2 +version: 0.0.3 appVersion: "1.0.0" icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index c9216728..daf843fb 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.0.2 +version: 0.0.3 appVersion: "1.0.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: 
From a7aa5a71b1dc607595bbb27a3c550fe099238f1d Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 10:20:56 -0400 Subject: [PATCH 08/14] update image comment for ecs-inventory and k8s-inventory Signed-off-by: Hung Nguyen --- stable/ecs-inventory/values.yaml | 2 +- stable/k8s-inventory/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml index 09ef6f7f..ce4624ef 100644 --- a/stable/ecs-inventory/values.yaml +++ b/stable/ecs-inventory/values.yaml @@ -8,7 +8,7 @@ replicaCount: 1 ## @param image Image used for all Ecs Inventory deployment deployments -## use docker.io/anchore/ecs-inventory:v1.1.0-fips if you want an image built for fips use +## use docker.io/anchore/ecs-inventory:v1.1.0-fips-amd64 if you want an image built for fips use ## image: "docker.io/anchore/ecs-inventory:v1.1.0" diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index c449527d..0e81749d 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -10,7 +10,7 @@ replicaCount: 1 ## @param image.pullPolicy Image pull policy used by the K8s Inventory deployment ## @param image.repository Image used for the K8s Inventory deployment ## @param image.tag Image tag used for the K8s Inventory deployment -## use tag v1.0.2-fips if you want an image built for fips use +## use tag v1.0.2-fips-amd64 if you want an image built for fips use ## image: pullPolicy: "IfNotPresent" From b793fef3ac239725db9324539c2fb73699e8bf2b Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 17 Aug 2023 09:43:40 +0100 Subject: [PATCH 09/14] feat: bump to latest k8s-inventory version Signed-off-by: Bradley Jones --- stable/k8s-inventory/Chart.yaml | 2 +- stable/k8s-inventory/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index daf843fb..85002f75 100644 
--- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.0.3 +version: 0.0.4 appVersion: "1.0.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 0e81749d..2438eb41 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -15,7 +15,7 @@ replicaCount: 1 image: pullPolicy: "IfNotPresent" repository: "anchore/k8s-inventory" - tag: "v1.0.2" + tag: "v1.1.1" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images ## From 01dab04807edc8fc7ab587302aabb8e3eb3b62a2 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 17 Aug 2023 10:20:23 -0400 Subject: [PATCH 10/14] updating for enterprise 4.9 Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/engine_configmap.yaml | 2 ++ stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 7c3d95f0..fde3c424 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
@@ -67,6 +67,8 @@ data: # Defines a maximum compressed image size (MB) to be added for analysis # Value < 0 disables feature. Disabled by default max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} + max_source_import_size_mb: {{ default 100 .Values.anchoreGlobal.maxSourceImportSizeMB }} + max_import_content_size_mb: {{ default 100 .Values.anchoreGlobal.maxImportContentSizeMB }} # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 84b351e6..3ff6c7c8 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -760,7 +760,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.8.1 + image: docker.io/anchore/enterprise:v4.9.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -1124,7 +1124,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.8.0 + image: docker.io/anchore/enterprise-ui:v4.9.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From abb86ad43b1cf31b0df5f48a68d83a3e2de3861a Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 08:57:47 -0700 Subject: [PATCH 11/14] update readme 
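Review bot: The two added limits, `max_source_import_size_mb` and `max_import_content_size_mb`, are rendered without any comment, unlike `max_compressed_image_size_mb` just above, and the values.yaml hunks in this commit only change image tags, so `anchoreGlobal.maxSourceImportSizeMB` and `anchoreGlobal.maxImportContentSizeMB` appear to be undocumented. Add a line above each, for example `# Maximum size (MB) accepted for a source import; chart default 100` (wording to be confirmed against the Enterprise 4.9 configuration reference), and matching commented entries in values.yaml. Note also that `default 100` replaces an explicit `0` with 100, because `default` treats zero as empty; if zero or a negative value has a meaning for these limits, as it does for the setting above, the comment should say so. The `data:` block continues outside the hunk.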
Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 1e96193e..1a60793b 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.27.0 + +* Anchore Enterprise image updated to v4.9.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/490/) + # Chart Version 1.26.3 * Anchore Enterprise image updated to v4.8.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/481/) @@ -527,6 +531,7 @@ metadata: name: anchore-enterprise-ui-env type: Opaque stringData: + # if using TLS to connect to Postgresql you must add the ?ssl=[require|verify-ca|verify-full] parameter to the end of the URI ANCHORE_APPDB_URI: postgresql://anchoreengine:anchore-postgres,123@anchore-postgresql:5432/anchore ANCHORE_REDIS_URI: redis://nouser:anchore-redis,123@anchore-ui-redis-master:6379 ``` From 8b94131203d5d869fc22637d74d0b0197171f9e5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 09:06:07 -0700 Subject: [PATCH 12/14] bump kind node images to test k8s 1.25 -> 1.28 Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4cbb87f8..dfd7cbae 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.19.16", "v1.22.0", "v1.25.0"] + kubernetesVersion: ["v1.25.11", "1.26.6", "1.27.3", "1.28.0"] runs-on: ubuntu-latest steps: - name: Checkout From df2b10dc6ae809549be9c3d8e6c7642111f4d7e7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 09:09:02 -0700 Subject: [PATCH 13/14] use kind node images that match what k8s versions are available on EKS Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index dfd7cbae..a6792ae3 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.25.11", "1.26.6", "1.27.3", "1.28.0"] + kubernetesVersion: ["v1.23.17", "v1.24.14", "v1.25.11", "1.26.6", "1.27.3"] runs-on: ubuntu-latest steps: - name: Checkout From 43b72c022cec0ec90691a0593761db1f89a32484 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 09:12:35 -0700 Subject: [PATCH 14/14] fix typos on kind node tags Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a6792ae3..42586b41 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -2,13 +2,12 @@ name: "Test using kind and chart-testing tool" on: - pull_request - jobs: test: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.23.17", "v1.24.14", "v1.25.11", "1.26.6", "1.27.3"] + kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"] runs-on: ubuntu-latest steps: - name: Checkout